A glitch in split-tender payment processing allowed a group of criminals based in Miami to steal more than $1.5 million, according to the Justice Department. The scheme exploited a flaw in a retailer’s specific payment processing software rather than a vulnerability anyone could easily use.
According to the DOJ, the men purchased expensive merchandise and split the cost between two debit cards, then returned the items in-store. While one refund was being issued to the first card, accomplices deliberately stalled the second refund by presenting incorrect cards or entering wrong PINs.
During the return, others monitored the first card’s account remotely and quickly withdraw or transferred the credited funds. The delay on the second card kept the first transaction open, resulting in repeated credits to the first card.
Incorrectly Coded Software
This is not how payment processing normally works, which suggests the criminals had found a flaw in a specific point-of-sale (POS) system.
“If the POS software was coded correctly, it would have processed the split-tender refund as two transactions,” said Don Apgar, Director of Merchant Payments at Javelin Strategy & Research. “So when the credit to the second card failed, it would only re-attempt that credit, not start over and re-credit the first card as well.”
Another key factor was their knowledge that the store offered instant refunds.
“While one crook was in the store playing the game, his accomplice was withdrawing funds from the first card after each credit was applied,” said Apgar. “Normally, refunds wouldn’t hit a debit account until the following day, but there are new technologies that enable real-time credits, such as Visa Direct. The crooks would have to know that this store was using newer payout rails so they could grab the erroneous credits in real time before they were reversed.”
Leaving Retailers Vulnerable
The retailers affected by the scheme were not named in the indictment—possibly to avoid drawing attention to vulnerabilities in the software. The indictment noted that the scheme was carried out at dozens of stores in various cities across the country.
“This is such an arcane scheme,” said Apgar. “It sounds like one of these guys had insider info on this glitch in the store’s POS software.”
